I recently participated in a Business Hour at our Cleveland office called An FBI briefing on the Cyber Threat: Data Privacy in a changing legislative landscape, along with my colleague Jim Giszczak and FBI Special Agent David Morgan. We discussed how many industries – retailers, hospitals, universities, accounting firms, and many more – have faced serious data breaches, and suffered the staggering costs associated with those breaches. We also discussed the increased regulatory enforcement, including changes in state law, detailed some proactive compliance and data breach response measures, and how the FBI can help. Our audience asked a few questions.
What are the best ways to prevent a “Target-type” breach?
DP: Organizations are never going to completely prevent a data breach from occurring, but there are certainly proactive measures that can be implemented to minimize the risk of a breach and certainly reduce the costs and effects if there is indeed a breach. It is critical that organizations assemble their incident response team now (while things are calm) and implement a thorough incident response plan. Your plan should set forth critical stakeholders from within and outside the organization in legal, IT, risk, human resources, marketing, finance and public relations/communications. Given the rise in employee-related breaches (whether due to a rogue employee or an employee’s negligence), it is important to implement appropriate employee policies and provide training to the part of your workforce that handles personally identifiable information. Organizations should also review their document retention protocols and properly destroy personally identifiable information when it is no longer needed for a legitimate business purpose.
Florida recently changed its data privacy legislation with new notification requirements for when a breach is detected. Can you elaborate on this?
DP: Florida passed the Florida Information Protection Act of 2014 (FIPA), which became effective July 1, 2014, and replaced the prior breach notification law. The major changes under FIPA are as follows:
- Shorter timeline to notify – this has been reduced from 45 days to 30 days (from date of discovery of the incident)
- Expanded definition of Personally Identifiable Information (PII) – passport number, medical information, and e-mail/username in combination with password/security question have been added to Florida’s definition of PII.
- Notice to Florida Attorney General – in cases of 500 or more records of Florida PII, the Florida AG must be notified of the incident within 30 days of discovery. In addition, the Florida AG has the right to ask a reporting organization for a police report, incident report, or computer forensics report regarding the incident; a copy of the policies in place regarding breaches; and/or steps that have been taken to rectify the breach.
- Proactive measures required – Although not specific, FIPA now explicitly requires organizations to take reasonable measures to protect and secure personal information.
- Vendor notification – Under FIPA, third-party vendors that experience a breach must now notify the covered entity of the breach within 10 days following determination of the breach or reason to believe the breach occurred.
- Federal exemption – FIPA’s exemption to notifying individuals if a HIPAA covered entity complies with federal regulatory notification requirements applies only if the covered entity actually notifies the individuals. Thus, if a covered entity does not notify an individual in accordance with HIPAA, then FIPA’s exemption does not apply. This may occur when a covered entity determines that notification under HIPAA is unnecessary, yet notification under FIPA may still be required.
For a complete summary of FIPA, please see our alert Florida raises the bar on data privacy, security and breach notification with passage of new law.
Is any particular industry investing in cyber insurance over others?
DP: Nearly every industry should be focused on cybersecurity. As was stated in our Business Hour, the companies most vulnerable to cyber attacks are “those that are connected to the Internet and those that have employees.”
How safe is “the cloud” and how does that affect notification obligations?
DP: Although we are seeing a major shift in companies sending data to “the cloud”, the notification obligations do not shift to the cloud provider. If a breach occurs in the cloud, which often occurs, the organization is still deemed the “owner” of the data and must notify the affected individuals. You should review your vendor agreements and make sure that they contain strong indemnification provisions, along with notice requirements and express assurances that the vendor maintains appropriate privacy and security policies relative to personal information.
You can view the entire webcast on our website here.